add lazy routes (PR #14544)

  • Version bump to v1.1.0.beta1
  • Version bump to v1.1.0.beta6b
  • FIX: 6to5 was renamed to Babel
  • SECURITY: log off all existing sessions when resetting password
  • SECURITY: XSS in poll errors dialog
  • remove s3 deprecation warning, we will continue to support it
  • Version bump to v1.3.0.beta8
  • Never enqueue posts from staff
  • SECURITY: expire all existing sessions if user changes passwords
  • SECURITY: expire all existing email tokens on password reset
  • FIX: Embedding posts was broken
  • SECURITY: Remove email validation check bypass
  • SECURITY: Make sure export CSV is generated via a POST
  • PATCH: in some cases this is being turned to a string workaround for now
  • FIX: if an enum is Fixnum do not allow strings to live in it
  • SECURITY: fix possible XSS expanding quotes
  • Version bump to v1.4.0.beta11
  • FIX: Double load sometimes on topic lists
  • FIX: notifications & messages were missing from user profile
  • FIX: properly filter badges when they’re on a whisper
  • Revert “FIX: properly filter badges when they’re on a whisper”
  • update install guide for Discourse 1.4
  • simplify install guide a tiny bit
  • emphasize reading the admin quick start guide
  • FIX: pikaday wasn’t working when using the mouse with a touch-enabled monitor
  • FIX: only disable the composer grip when the device is touch-only
  • FIX: Category Logo preview should not repeat
  • FIX: 1.4 welcome PM images needed update
  • FIX: when replying to an expanded reply, correctly attribute author
  • minor install guide tweaks
  • minor install guide tweaks
  • update readme images for 1.4
  • tweaks to readme
  • FIX: whispers should not be revealed in reply to, or reply expansion FEATURE: mark whisper as experimental FIX: badges should never apply to whispers
  • FIX: disable cloaked view while running ios positioning hack
  • FIX: replaceMarkdown should be smart about current caret position
  • FIX: Replies to whispers must be whispers
  • FIX: Allow mods/admins to search whispers
  • FIX: max_topics_per_day was not working
  • FIX: don’t use Safari hack on Windows Phone
  • Fix typo in restore & rollback confirm dialog
  • SECURITY: XSS in search results term
  • SECURITY: Moderators should not see API keys
  • SECURITY: Unread post notifications should respect whispers
  • FIX: Missing fallback logic
  • SECURITY: XSS Protection on Queued Posts
  • SECURITY: Backported XSS fixes from Handlebars
  • SECURITY: ensure we never accept fake images
  • SECURITY: Upgrade Ember to fix CVE-2015-7565
  • Revert “SECURITY: Upgrade Ember to fix CVE-2015-7565”
  • SECURITY: Upgrade Ember to fix CVE-2015-7565. Also upgrade Handlebars
  • FIX: Precompiler should apply get magic too
  • FIX: Rebake all HTML due to handlebars upgrade
  • SECURITY: user summary could show topic links you have no permissions to
  • SECURITY: fix XSS in lazyYT plugin
  • SECURITY: topic titles can show up in user page unescaped when streamed in
  • SECURITY: hoist blocks using guids, not md5 hashes
  • we still need md5
  • fix eslint
  • Backport PluginAPI to beta branch
  • SECURITY: strip HTML tags in topic title in email digest
  • SECURITY: only add elided part of email in PM
  • Version bump to v1.6.0.beta2
  • FIX: OFFSET wasn’t being applied correctly
  • SECURITY: 2 XSSs in post gutter and local oneboxes
  • FIX: Ensure unique fields in TopicList.preloaded_custom_fields.
  • SECURITY: update rack-mini-profiler
  • SECURITY: Unapproved, active users should not receive emails
  • SECURITY: restrict constantize classes in search controller
  • SECURITY: update logster
  • SECURITY: Possible SQL injection.
  • SECURITY: disable user entered badge SQL by default
  • SECURITY: limit route access when using external avatars
  • SECURITY: XSS in “Account Suspended” Messages and Badge Descriptions
  • SECURITY: SQL Injection in Admin List Active Users
  • SECURITY: Cross-Site Scripting in Category and Group Settings
  • SECURITY: Make sure uploaded_urls have corresponding upload records
  • FIX: Regression with escaping on badge page
  • SECURITY: Avoid mass assignment on user create
  • SECURITY: XSS issue on Admin users list
  • Revert “UX: Centering Badge notification styles on mobile.”
  • SECURITY: do cookie auth rate limiting earlier
  • FIX: wasn’t able to update category’s settings
  • SECURITY: Escape image title in lightbox.
  • SECURITY: Escape HTML in filename.
  • FIX: Travis failure
  • SECURITY: Escape input made to system calls.
  • SECURITY: Add filename validation for backup uploads.
  • FIX: Backup validation wasn’t escaping hyphens
  • Escape the hyphen
  • Create server.it.yml for details plugin
  • FIX: uploading custom avatar was always hidden
  • Backport get-owner API so plugins can use it safely
  • SECURITY: escape advanced search term
  • SECURITY: don’t grant same privileges to user_api and api access
  • SECURITY: fix reflected XSS with safe_mode param
  • SECURITY: protect upload params, only allow very strict filenames
  • SECURITY: update onebox gem
  • SECURITY: prevent reuse of password reset
  • SECURITY: Users can only bookmark posts which they can see.
  • SECURITY: Moderators should not be able to access customizations
  • FIX: don’t onebox to IP addresses
  • Update copyright year
  • Update INSTALL-cloud.md
  • Allow for a custom hub server
  • Update INSTALL-cloud.md
  • add Hacker One page to security.md
  • Migration script from Drupal 6
  • Fix typos
  • Run Travis against 2.4.0 as well.
  • Fix typo.
  • FIX: Can’t add categories when creating a new web hook.
  • Make eslint happy.
  • FIX: Respect site setting to hide username in mailing list summary.
  • Revert “Run Travis against 2.4.0 as well.”
  • FIX: Login modal on mobile does not submit on enter.
  • UX: Observe changes to plugin to hide/show plugin admin link without refresh.
  • Make eslint happy.
  • UX: Display large numbers with delimiters.
  • FIX: Add validation to disallow censored words in topic title.
  • oops fix specs.
  • Experimental feature to load gemfiles from plugins
  • FIX: an image can be shown twice in summary emails
  • FIX: Don’t allow formatting in titles when quoting other topics
  • Revert “Experimental feature to load gemfiles from plugins”
  • handle emails with localized headers :angry:
  • Plugins can register providers for global settings
  • Display tabs with smaller widths for code blocks
  • use table prefix in bbpress import script
  • update mobile android screenshot for 1.7
  • Don’t give notifications to admins for trust level notifications
  • SECURITY: disallow csv as default upload file type
  • Add more info in staff action logs for blocking a user, and add logging for lock trust level, activate, and deactivate user
  • Staff action logs explain when system is deleting a post because author marked it to be deleted
  • Don’t show email of deleted users in staff action logs
  • Don’t display email addresses in staff action logs for revoked email
  • switch from “API Requests” to “Pageviews”
  • Use a different Redis key when PG failover sets site to readonly mode.
  • FIX: Perform emoji unescape for topic titles in quotes.
  • Use any orientation for web app manifest.
  • remove ‘already initialized constant’ warning
  • FIX: only allow CSV file to be uploaded for bulk invite
  • Let’s not notify for trust levels on Staff, either
  • more specs for staff action logging
  • bbpress: Use nicename if display_name is missing
  • use .presence rather than DIY checking
  • bump onebox
  • FEATURE: new ‘max_image_megapixels’ site setting
  • FIX: add noopener to website field in user profile
  • FEATURE: Log admin action when readonly mode is changed.
  • Make mention bot assign reviewers for collaborators as well.
  • Oops.
  • Fix syntax error.
  • UX: Truncate topic link title/URL on desktop to prevent overflow.
  • Update Translations
  • FEATURE: Better error message when incoming e-mail is missing a Date: header
  • Remove lines that are no longer valid.
  • Version bump to v1.8.0.beta2
  • FIX: log backups download/destroy staff action
  • Fix broken emojis.
  • SECURITY: Prevent large onebox downloads, better timeout support
  • UX: less restrictive selector to allow for plugin outlets
  • SECURITY: correctly validate input when admin searches for screened ips
  • new: server plugin outlet for indexable robots.txt
  • Version bump to v1.8.0.beta6
  • SECURITY: inactive/suspended accounts should be banned from api
  • SECURITY: Ensure that user has been authenticated.
  • Revert “SECURITY: Ensure that user has been authenticated.”
  • SECURITY: Ensure oAuth authenticated email is the same as created user’s email.
  • FIX: Mobile topic timeline broken on Chrome 56.
  • Revert “SECURITY: Ensure oAuth authenticated email is the same as created user’s email.”
  • SECURITY: Only allow users to resend activation email with a valid session.
  • FIX: Store user’s id instead for sending activation email.
  • SECURITY: always allow staff to resend activation mails
  • SECURITY: Don’t use backticks for exporting your archive
  • SECURITY: Disallow symlinks when restoring uploads.
  • SECURITY: CSRF vulnerabilities in Admin::BackupsController.
  • Update facebook login gem
  • SECURITY: do not send push notifications to suspended users
  • SECURITY: prefer render plain/html to render text where possible
  • SECURITY: XSS issue in share popup if invalid link is passed in.
  • FIX: Show share popup only for valid buttons.
  • FIX: Regression when clicking on post date
  • Disable failing JS tests first.
  • SECURITY: Validate the entity when downloading a CSV
  • Revert “Load posts in batches while indexing problem posts.”
  • SECURITY: Vulnerability in mail gem
  • FIX: Don’t run in testing mode
  • Revert “Skip validations when Discobot creates new posts.”
  • FIX: automatic PNG-to-JPEG conversion should use a default white background
  • FIX: PNG-to-JPEG conversion should only be done to images with at least 1 megapixels
  • FIX: Bot should only respond to regular posts.
  • FIX: Ensure that we cancel any timeout jobs when terminating a track.
  • Move the constant as well.
  • FIX: Bot mentioned check should be case insensitive.
  • FIX: Always allow the host the forum is hosted on
  • FIX: image orientation wasn’t properly working
  • FIX: Topic Entrance wasn’t showing up on some suggested topics
  • FIX: include canonical meta tag on category pages
  • SECURITY: Remove disposable invite feature
  • FIX: Allow discourse app to link directly to wizard
  • Revert “UX: Don’t try to figure out root domain.”
  • FIX: Exclude www in topic map links.
  • SECURITY: Do not show latest/top topics on 404 for login_required sites
  • SECURITY: Only publish PM reply messagebus notifications to allowed users
  • SECURITY: Prevent users from updating to blacklisted email domains
  • FIX: Users should be able to activate their emails even if unapproved
  • SECURITY: Update Nokogiri.
  • FIX: wasn’t able to save watched/tracked/muted categories/tags
  • Revert “A safe way to create class variables in a multisite environment.”
  • FIX: Remove unused mixin
  • SECURITY: Fix XSS on unsubscribed page.
  • SECURITY: verify that inviter can invite new user to a topic
  • SECURITY: signup without verified email using Google auth
  • SECURITY: prevent staged accounts from changing email
  • SECURITY: Any group can be invited into a PM.
  • SECURITY: Don’t pass email backup token to sidekiq as a parameter.
  • SECURITY: email domain whitelist could be bypassed
  • SECURITY: Prevent robots from indexing more routes
  • SECURITY: correct local onebox category checks
  • SECURITY: ensure users have permission when moving categories
  • SECURITY: Oneboxer should escape the URL before processing
  • FIX: dragging of timeline was flaky on iOS
  • improve prev hack
  • clean up drag on iOS handling, we need it bound earlier
  • SECURITY: remove alert dialog from local dates
  • drop ruby 2.3 testing
  • Monkey patch in net/pop: make modified strings mutable (ruby/ruby@7830a95)
  • SECURITY: update sprockets for CVE-2018-3760
  • Link updated
  • SECURITY: prevents XSS when showing tooltip
  • SECURITY: category badges should HTML escape names
  • SECURITY: Do not allow authentication with disabled plugin-supplied a… (#6071)
  • SECURITY: extra CORS headers should be set on correct host
  • FIX: returns provider_not_enabled error even if enabled
  • SECURITY: Consider 0.0.0.0 a private IP
  • FIX: Remove plugin.enabled? checks at initialization time (#6166)
  • SECURITY: force IM decoder based on file extension
  • SECURITY: force IM decoder based on file extension - part 2
  • SECURITY: force IM decoder based on file extension - part 3
  • FIX: Remove return statement from inside block
  • SECURITY: prevent use of X-Forwarded-Host to perform XSS
  • SECURITY: Prevent users from modifying custom fields
  • SECURITY: correct edge case when SSO provides unvalidated emails
  • FIX: Uploads not being linked correctly to posts.
  • FIX: ignore and log bad json values for custom fields
  • FIX: ensures we have a color for reports (#6396)
  • Add extra protection in Upload#get_from_url.
  • DEV: Print the error class in uploads:list_posts_with_broken_images.
  • New rake task uploads:recover.
  • Fix incorrect variable.
  • Add dry run option to UploadRecovery.
  • Fix s3 recovery from tombstone in UploadRecovery.
  • Rescue errors when running dry run for UploadRecovery.
  • Add basic test case for UploadRecovery.
  • Fix the build.
  • FIX: Do not try to recover invalid Upload#short_url in UploadRecovery.
  • Accept custom AR relation for UploadRecovery.
  • DEV: Avoid using send and make the method public instead.
  • FIX: Onceoff job to recover missing post uploads.
  • Backward compatibility for dropping functions in ColumnDropper.
  • SECURITY: remove admin memory diagnostics routes
  • SECURITY: correct XSS on long topic titles
  • FIX: in redis readonly raise an exception from DistributedMutex
  • FIX: correct readonly timeout
  • FIX: Onceoff job to fix missing user profile backgrounds.
  • Fix onceoff job in discourse/discourse@cfa7173 (FIX: Onceoff job to fix missing user profile backgrounds.) not running.
  • Fix UploadRecovery from S3 fails with bucket name containing sub-folder.
  • SECURITY: update loofah for CVE-2018-16468
  • FEATURE: adds list#(unread|new) to user api key routes (#6494)
  • FEATURE: adds latest to user-api-key session scope
  • UX: bumps the user-api-key version to 3 (#6526)
  • SECURITY: update rack from 2.0.5 to 2.0.6
  • SECURITY: enforce hostname to match discourse hostname
  • FIX: incoming email matches the wrong user if null bounce key available in db
  • FIX: properly secure poll message bus
  • DEV: Don’t publish post messages to non-human users.
  • SECURITY: Require groups to be given when inviting to a restricted category. (#6715)
  • FIX: Do not serialize user fields unless they are specified for display (#6736)
  • FIX: remove slow platform detection from server side
  • SECURITY: do not delete avatars uploads when deleting accounts
  • DEV: anonymizing should not delete uploads
  • SECURITY: Users can pick non-avatar uploads.
  • SECURITY: escape title HTML for inline onebox
  • SECURITY: fix possible XSS with badges (#6912)
  • Merge diffs from master
  • SECURITY: Escape HTML in dashboard report tables
  • FIX: Bump onebox version to include imgur security fix
  • FIX: Bump onebox version to include imgur security fix
  • SECURITY: Do not leak private group names. (#7008)
  • FIX: Fix failing test.
  • DEV: Improve test.
  • FIX: unable to create new categories
  • REFACTOR: Proxy letter avatars in rails instead of nginx
  • SECURITY: bypass long GET requests
  • SECURITY: properly validate return URL for SSO
  • FIX: Sometimes queued post would have a string for a category
  • SECURITY: Remove XSS in composer preview when applying image scale buttons.
  • SECURITY: Update Handlebars to 4.1
  • FEATURE: enable NGINX brotli support unconditionally
  • FIX: ensures we have touches when starting pan event (#7435)
  • SECURITY: avoid use of send in favor of public_send
  • SECURITY: Bump Handlebars to version 4.1.2
  • SECURITY: Add confirmation screen when logging in via email link
  • SECURITY: Add confirmation screen when logging in via user-api OTP
  • SECURITY: Escape email text for posts containing [details].
  • SECURITY: XSS in routes
  • DEV: Respond with error 400 to uploads requested via XHR
  • FIX: Don’t send notification email when user isn’t allowed to see topic
  • FIX: creating new badge is failing on empty SQL query (#7837)
  • SECURITY: Strip HTML from invite emails
  • SECURITY: XSS with title selector on preferences page
  • SECURITY: Upgrade lodash
  • SECURITY: SQL injection with default categories
  • SECURITY: XSS when displaying watched words in admin panel.
  • Fix the build.
  • SECURITY: Validate backup chunk identifier
  • SECURITY: Add confirmation screen when connecting associated accounts
  • SECURITY: Sanitize email id for use as mutex key
  • Revert “FEATURE: add Noindex to robots.txt for disallowed routes”
  • FIX: Disallow user self-delete when user posted in PMs
  • SECURITY: Restrict message-bus access on login_required sites
  • SECURITY: don’t reveal category details to users that do not have access
  • SECURITY: add rate limiting to anon JS error reporting
  • Revert “FEATURE: Use configured quotation marks in fancy topic title”
  • FIX: add_to_serializer not correctly accounting for inheritance chains
  • PERF: no point updating the same columns twice
  • SECURITY: Reset password when activating an account via auth provider
  • FIX: When activating a user, ensure the change is reflected immediately
  • FIX: When activating via omniauth, create tokens after password reset
  • PERF: avoid filtering shared drafts when not used
  • FEATURE: anon cache reports data to loggers
  • FIX: report cached controller and action to loggers
  • FEATURE: track date api key was last used
  • SECURITY: XSS when oneboxing user profile location field
  • SECURITY: update rack-mini-profiler to latest to correct XSS
  • SECURITY: update rubyzip dependency
  • SECURITY: Don’t allow base_uri as embeddable host if none exist
  • Merge diffs from master
  • SECURITY: mini profiler enabled incorrectly for admins
  • PERF: Add unique index oauth2_user_infos(user_id, provider) (#8230)
  • PERF: Add index on group to category_groups (#8231)
  • FIX: allow storage of non unique rows in oauth2_user_infos
  • SECURITY: Check permissions when autocompleting mentions
  • DEV: Update users controller spec following user_search update
  • FIX: Respond to user search correctly when category_id is blank
  • FIX: oneboxer.js infinitely retrying failed requests (#8414)
  • DEV: use Discourse.cache over Rails.cache
  • DEV: Implement a faster Discourse.cache
  • DEV: s/$redis/Discourse.redis
  • SECURITY: Remove event handlers from SVG files
  • SECURITY: Ensure only image uploads can be inlined
  • SECURITY: upgrade rack-mini-profiler to avoid possible XSS (#8537)
  • SECURITY: vulnerability in WildcardUrlChecker
  • SECURITY: Correct permission check when revoking user API keys
  • DEV: Update Bundler (#8583)
  • FIX: cache_critical_dns was erroring without IPAddr
  • FIX: Use cached MaxMind DB for longer
  • SECURITY: Improve second factor auth logic
  • FIX: group membership leak
  • SECURITY: use strict JSON parsing when parsing backup metadata
  • Revert “SECURITY: use strict JSON parsing when parsing backup metadata”
  • SECURITY: use strict JSON parsing when parsing backup metadata
  • SECURITY: Do not create a notification if a staged user post gets quoted/linked inside a restricted category
  • FIX: groups pagination was broken
  • Merge diffs from master
  • FIX: Ensure sourcemap’s source is correct. Uses the full assets path this time. (#8774)
  • DEV: Bump omniauth-github from 1.3.0 to 1.4.0 (#8924)
  • Merge pull request from GHSA-vw39-6w7q-gfx5
  • FIX: Prettier on iframed-html component
  • FIX: allows to select the action when agreeing with penalty (#9099)
  • SECURITY: Ensure the invite JSON API matches the UX
  • SECURITY: Add more restrictions on invite emails
  • Revert “FIX: Don’t allow people to clear the upload bucket while it’s enabled”
  • FIX: last ip address could point at wrong ip
  • Let’s not log the username/password
  • FIX: Ensure show_short URLs handle secure uploads using multisite (#9212)
  • DEV: Load plugin stylesheets before theme stylesheets (#9240)
  • SECURITY: Respect topic permissions when loading draft metadata
  • SECURITY: Ensure user can see group and group members
  • Merge diffs from master
  • FIX: prevents constant composer reloading (#9528)
  • FIX: fails gracefully if :scope is not handled by a browser (#9529)
  • SECURITY: Update onebox to add rel=“noopener”
  • FIX: reverts to use an observer to support loading more notifications (#9628)
  • SECURITY: ERB execution in custom Email Style
  • SECURITY: Use FinalDestination for topic embeds
  • SECURITY: make find topic by slug adhere to SiteSetting.detailed_404 (#9898)
  • Update category_featured_topic.rb (#10121)
  • SECURITY: Add content-disposition: attachment for SVG uploads
  • Support plugin and Theme compatibility version manifests (#9995)
  • DEV: upgrade mini_racer and libv8
  • DEV: Refactor anonymous cache spec.
  • SECURITY: 413 for GET, HEAD or DELETE requests with payload.
  • FIX: Exclude DELETE methods from invalid request with payload.
  • Update rails_failover to 0.5.5.
  • FIX: allow plugin pinning to fetch missing commits
  • Merge diffs from master
  • FIX: Backups should use relative paths for local uploads
  • SECURITY: Don’t allow moderators to list PMs of all groups.
  • SECURITY: Remove indication that a group exists if user can’t see it.
  • DEV: Address review comments for 5ed84d9885b.
  • DEV: Correct use of sanitize_sql_array in TopicQuery.
  • SECURITY: return error on oversized images
  • Merge diffs from master
  • DEV: Add support for api-initializers to reduce boilerplate.
  • SECURITY: Ensure users can see the topic before setting a topic timer. (#10841)
  • FIX: Confirm new email not sent for staff if email disabled with “non-staff” option (#10794)
  • Merge diffs from master
  • FIX: Prevent slow bookmark first post reminder at query for topic (#11024)
  • FIX: Remove 4 month limit on IgnoredUser records (#11105)
  • FIX: Add dummy themes:update task (#11261)
  • FIX: stop including GlobalPath in default context (#11323)
  • FIX: correct cdn path (#11324)
  • Bump onebox gem to 2.2.1
  • msgpack 1.4.1 was yanked - use 1.4.2
  • SECURITY: Rate limit MFA by login if possible (#11938)
  • DEV: Move logic for rate limiting user second factor to one place (#11941)
  • FIX: process new invites when existing users are already group members (#11971)
  • SECURITY: Attach DiscourseConnect (SSO) nonce to current session (#12124)
  • FIX: do not send rejection emails to auto-deleted reviewable users (#12160)
  • SECURITY: Fix is_private_ip for RateLimiter to cover all cases (#12464)
  • FIX: automatically timeout long running image magick commands (#12670)
  • FIX: Replace use of regular expression (#12838)
  • FIX: Gracefully handle inline images in emails (#12855)
  • SECURITY: Bump Rails to 6.1.3.2 (#12963) (#12964)
  • Revert “DEV: Drop old IE11 intersection-observer references” (#13017) (#13018)
  • SECURITY: XSS in bookmarks list (#13311)
  • SECURITY: ensures timeouts are correctly used on connect (#13455)
  • SECURITY: Onebox canonical links bypassing FinalDestination checks
  • FIX: TL4 users cannot delete others posts (#13554)
  • SECURITY: Validate period param for top topic routes (#13818)
  • SECURITY: Do not reveal post whisperer in personal messages.
  • SECURITY: Don’t leak user of previous whisper post when deleting a topic.
  • DEV: Make rubocop happy.
  • SECURITY: Sanitize d-popover attributes (#13958)
  • SECURITY: User’s read state for topic is leaked to unauthorized clients.
  • SECURITY: Destroy EmailToken when EmailChangeRequest is destroyed (#13950) (#14024)
  • SECURITY: escape cat name (#14156)
  • Merge diffs from main
  • Revert “Build(deps): Bump oj from 3.13.2 to 3.13.3 (#14202)”
  • SECURITY: Escape watched word in error message (#14434)
  • DEV: add routes_lazy_route to boost boot-up time

A commit that appears in this pull request is being discussed here.
oops … fixing this …